Bug 1268830 - Foreman role permission violations are not logging
Foreman role permission violations are not logging
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles (Show other bugs)
Unspecified Unspecified
medium Severity medium (vote)
: GA
: --
Assigned To: Ivan Necas
Katello QA List
: Reopened, Triaged
Depends On:
Blocks: 1122832
  Show dependency treegraph
Reported: 2015-10-05 08:11 EDT by Peter Vreman
Modified: 2017-08-16 14:56 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-07-27 04:57:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 18410 None None None 2017-02-07 07:11 EST

  None (edit)
Description Peter Vreman 2015-10-05 08:11:06 EDT
Description of problem:
Related to BZ1268829 with retrieving the Facts with only the Viewer role.
There is no audit / logging that the user has too less permissions to view the facts.
The logging even shows that the user is Authorized correctly.
That the response will be empty because there is no permission is not logged.
This makes troubleshooting complex what the cause is that no facts are returned.

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com/api/v2/users/viewer | jq .roles
    "id": 19,
    "name": "Anonymous"
    "id": 16,
    "name": "Viewer"

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com//api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 | jq .
  "results": {},
  "sort": {
    "order": null,
    "by": null
  "search": " host = li-lc-1443.hag.hilti.com",
  "per_page": 9999,
  "page": 1,
  "subtotal": 0,
  "total": 0

2015-10-05 11:46:07 [I] Processing by Api::V2::FactValuesController#index as JSON
2015-10-05 11:46:07 [I]   Parameters: {"per_page"=>"9999", "apiv"=>"v2", "host_id"=>"li-lc-1443.hag.hilti.com"}
2015-10-05 11:46:07 [I] Authorized user viewer(viewer )
2015-10-05 11:46:07 [I]   Rendered api/v2/fact_values/index.json.rabl within api/v2/layouts/index_layout (3.0ms)
2015-10-05 11:46:07 [I] Completed 200 OK in 341ms (Views: 27.8ms | ActiveRecord: 47.8ms)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Query facts using a User with only the Viewer role

Actual results:
No logging that the user has to less permissions

Expected results:
Logging that the user has no permissions to view the facts

Additional info:
Comment 2 Peter Vreman 2015-10-05 10:21:36 EDT
I just found that Foreman 1.9 looks like it has this feature with the granualary logging include 'permissions':

Foreman debugging

Edit /etc/foreman/settings.yaml and either uncomment or add these lines:

  :level: debug

And reload Foreman:

touch ~foreman/tmp/restart.txt

Enabling more specific logs

More types of log messages can be enabled from settings.yaml:

    app - web requests and all general application logs (default: true)
    ldap - high level LDAP queries (e.g. find users in group) and LDAP operations performed (default: false)
    permissions - evaluation of user roles, filters and permissions when loading pages (default: false)
    sql - SQL queries made through Rails ActiveRecord, only debug (default: true)

Uncomment or add a :loggers block to enable or disable loggers:

    :enabled: true
Comment 3 Bryan Kearney 2015-10-07 16:53:11 EDT
So 1.9 (which will be included in 6.2) will meet the requirements of this bug?
Comment 4 Peter Vreman 2015-10-08 02:47:28 EDT
Correct, based on the documentation of Foreman 1.9 it will meet the requirements of this bug.
This bug is only minor and needed when you have to troubleshoot a misconfiguration. Target 6.2 is ok for me.
Comment 6 jcallaha 2016-07-12 15:02:40 EDT
Failed QA in Satellite 6.2 Beta Snap 19.1

The logs still do not note when a user is trying to perform an operation they are not authorized to. For example, compare the two log entries below. The second entry does not explicitly log that the user is unauthorized to perform the action they are trying.

[I] Started GET "/api/v2/hosts/5" for at 2016-07-12 14:36:56 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user admin(Admin User)

[I] Started GET "/api/v2/hosts/5" for at 2016-07-12 14:38:03 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user viewer(viewer)
[I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.9ms)
[I] Filter chain halted as :authorize rendered or redirected
[I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)


# Log settings for the current environment can be adjusted by adding them
# here. For example, if you want to increase the log level.
  :level: debug

# Individual logging types can be toggled on/off here
    :enabled: true
    :enabled: true
Comment 7 orabin 2016-07-13 04:36:57 EDT

In the output of the log from comment 6 the user without authorization gets: Completed 403 Forbidden which does indicate there is an authorization issue.

What I understand from the description of the bug is that the problem is only when everything in the log looks good (Completed 200 OK) but you don't see the full output because of permissions.
Does that case work with the settings change?
Comment 8 jcallaha 2016-07-15 08:41:13 EDT
The question may be more suited for the reporter. While 403's could potentially be considered to be showing when a user doesn't have permissions, I would personally like to have seen a more explicit log of a role permissions violation. The text returned by the API is a great example of such a message. Is it possible to have this response logged as well, like normal responses are?

  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: view_hosts"
Comment 9 Peter Vreman 2016-07-15 09:24:15 EDT
As a UI User I expect a clean error message instead of the content being show. This should be all in the same UI web page and not a generic Forbidden page. Because as a User i might be continueing to click on the an other content to be shown.
Comment 11 errata-xmlrpc 2016-07-27 04:57:03 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 14 Ivan Necas 2017-02-07 07:11:25 EST
Created redmine issue http://projects.theforeman.org/issues/18410 from this bug
Comment 15 Ivan Necas 2017-02-07 07:17:42 EST
With permissions logging enabled, the denials were still not logged fully in API. In fix https://github.com/theforeman/foreman/pull/4257, I've added logging of reason for permissions denials for API + changed the level
in UI logging from debug to info, as I believe this information is on
different level than other debug info from permissions.
Comment 18 Zach Huntington-Meath 2017-08-16 14:56:49 EDT
I verified this on on snap-11.0 the steps I took were

1. Created a user with only viewer roles


curl -s -u tester:changeme https://ibm-ls21-04.rhts.eng.bos.redhat.com/api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 
  "total": 0,
  "subtotal": 0,
  "page": 1,
  "per_page": 9999,
  "search": " host = li-lc-1443.hag.hilti.com",
  "sort": {
    "by": null,
    "order": null
  "results": {}

3. Then I checked in the production log and found:

2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)
2017-08-16 14:53:52 31a4650f [app] [I] Authorized user tester(testy )
2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)

Note You need to log in before you can comment on or make changes to this bug.